1、 International Telecommunication Union ITU-T Series XTELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Supplement 2(09/2007) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY ITU-T X.800-X.849 series Supplement on security baseline for network operators ITU-T X-series Recommendations Su
2、pplement 2 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS Services and facilities X.1X.19 Interfaces X.20X.49 Transmission, signalling and switching X.50X.89 Network aspects X.90X.149 Maintenance X.150X.179 Administrative arrangements X.180
3、X.199 OPEN SYSTEMS INTERCONNECTION Model and notation X.200X.209 Service definitions X.210X.219 Connection-mode protocol specifications X.220X.229 Connectionless-mode protocol specifications X.230X.239 PICS proformas X.240X.259 Protocol Identification X.260X.269 Security Protocols X.270X.279 Layer M
4、anaged Objects X.280X.289 Conformance testing X.290X.299 INTERWORKING BETWEEN NETWORKS General X.300X.349 Satellite data transmission systems X.350X.369 IP-based networks X.370X.379 MESSAGE HANDLING SYSTEMS X.400X.499DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS Networking X.600X.629 Effici
5、ency X.630X.639 Quality of service X.640X.649 Naming, Addressing and Registration X.650X.679 Abstract Syntax Notation One (ASN.1) X.680X.699 OSI MANAGEMENT Systems Management framework and architecture X.700X.709 Management Communication Service and Protocol X.710X.719 Structure of Management Inform
6、ation X.720X.729 Management functions and ODMA functions X.730X.799 SECURITY X.800X.849 OSI APPLICATIONS Commitment, Concurrency and Recovery X.850X.859 Transaction processing X.860X.879 Remote operations X.880X.889 Generic applications of ASN.1 X.890X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 TELE
7、COMMUNICATION SECURITY X.1000 For further details, please refer to the list of ITU-T Recommendations. X series Supplement 2 (09/2007) i Supplement 2 to ITU-T X-series Recommendations ITU-T X.800-X.849 series Supplement on security baseline for network operators Summary Supplement 2 to ITU-T X.800 se
8、ries of Recommendations defines a security baseline against which network operators can assess their network and information security status in terms of readiness and ability to collaborate with other entities (operators, users and law enforcement authorities) to counteract information security thre
9、ats. This supplement can be used by network operators to provide meaningful criteria against which each network operator can be assessed if required. Source Supplement 2 to ITU-T X-series Recommendations was agreed on 28 September 2007 by ITU-T Study Group 17 (2005-2008). ii X series Supplement 2 (0
10、9/2007) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible
11、for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T st
12、udy groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basi
13、s with ISO and IEC. NOTE In this publication, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this publication is voluntary. However, the publication may contain certain mandatory provision
14、s (to ensure e.g. interoperability or applicability) and compliance with the publication is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words
15、 does not suggest that compliance with the publication is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning
16、the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the publication development process. As of the date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which
17、 may be required to implement this publication. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2008 All rights reserved. No part of this publication may be
18、 reproduced, by any means whatsoever, without the prior written permission of ITU. X series Supplement 2 (09/2007) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this supplement. 1 4 Abbreviations and acronyms 2 5 Conventions 2 6 Operat
19、ors policy baseline and implementation 2 7 Technical tools baseline 3 8 Collaboration baseline 4 Bibliography. 6 X series Supplement 2 (09/2007) 1 Supplement 2 to ITU-T X-series Recommendations ITU-T X.800-X.849 series Supplement on security baseline for network operators 1 Scope Nowadays, there are
20、 thousands of network operators, ranging from long-established national incumbents (who have trusted each other for many years) to small, start-up networks with no track record and no real basis of establishing trust, so new problems that did not exist in the traditional regulated environment are no
21、w emerging. It is necessary for operators to know who they are dealing with and the extent to which they can trust other operators to avoid the security problems. Security baseline is the response to this new challenge. The use of this supplement might vary from country to country, according to regu
22、latory regimes. Some regulatory regimes may choose to require that network operators follow the requirements of this supplement. Some network operators may themselves require that other network operators meet certain level of security as a prerequisite to the interconnection. It is recommended that
23、an operator provide telecommunication service for users at the security level that is guaranteed by the implementation of this supplement. The services of higher security level may be provided on customers demand by the operator at a cost to the former. This supplement is organized into three groups
24、: operators policy baseline and implementation, technical tools baseline and collaboration baseline. These must be capable of being verified. Evaluation might be conducted by an operator itself as a declaration procedure or with the assistance of the evaluation body through the compliance certificat
25、ion. NOTE This security baseline includes both technical and management-oriented tools. 2 References None. 3 Definitions 3.1 Terms defined elsewhere This supplement uses the following terms defined elsewhere: 3.1.1 risk management: Coordinated activities to direct and control an organization with re
26、gard to risk b-ISO/IEC 27001. 3.1.2 security policy: The set of rules laid down by the security authority governing the use and provision of security services and facilities b-ITU-T X.509. 3.1.3 unauthorized access: An entity attempts to access data in violation of the security policy in force b-ITU
27、-T M.3016. 3.2 Terms defined in this supplement This supplement defines the following terms: 3.2.1 antiviral software: Computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (maleware). 2 X series Supplement 2 (09/2007) 3.2.2 distributed denial
28、 of service (DDoS): In the context of message handling, when an entity fails to perform its function or prevents other entities from performing their functions, which may be a denial of access, a denial of communications, a deliberate suppression of messages to a particular recipient, traffic floodi
29、ng, an MTA was caused to fail or operate incorrectly, an MTS was caused to deny a service to other users. DDoS threats include denial of communications, MTA failure, MTS flooding. 3.2.3 license agreement: Agreement between owner of the software and the user of its copy. 3.2.4 network operator: An or
30、ganization which operates a telecommunications network. 3.2.5 network operators information security: The state of the network operators information resources and infrastructure protection from random and deliberate influence, natural or artificial, that can cause damage to the network operator and
31、users of communication services. It is characterized by the ability to maintain confidentiality, integrity and accessibility of information during it storage, processing and transmission. 3.2.6 point of interconnect: The point where the operator connects users (or other operators) to the data transm
32、ission service with the declared quality. 3.2.7 service provider: An entity that offers services to users involving the use of network resources. 3.2.8 spam: The abuse of electronic messaging systems to indiscriminately send unsolicited bulk of messages. (Spam affects e-mail, short message systems,
33、IP multimedia systems and other communication systems.) 4 Abbreviations and acronyms This supplement uses the following abbreviations: DDoS Distributed Denial of Service IDS Intrusion Detection Service IPS Intrusion Prevention Service IRT Incident Response Team MTA Message Transfer Agent MTS Message
34、 Transfer System 5 Conventions None. 6 Operators policy baseline and implementation 6.1 Network operators information security provisions must comply with regulatory and legal requirements of the jurisdiction in which the operator is engaged in business activity. In addition, network operators must
35、meet local jurisdiction requirements regarding cooperation with law enforcement agencies. 6.2 It is recommended that the operator adopt a security policy that is based on recognized best practices (such as b-ISO/IEC 27002 and b-ITU-T X.1051) and risk assessment, that meets the demands of business ac
36、tivity, that complies with national legislation and that is in accordance with the internal network operator procedures. It is recommended that operators personnel and external participants (users, interconnected operators and other interested parties) be made aware of the requirements of the securi
37、ty policy. X series Supplement 2 (09/2007) 3 6.3 It is recommended that the operators security policy have a clause dedicated to delimitation of responsibility within the operators personnel, between the operator and its partners, and between the operator and its customers. 6.4 It is recommended tha
38、t the information security requirements that must be followed by personnel be included in the labour contracts (job specification, list of duties) of all employees dealing with publicly-accessible information resources. 6.5 Measures implemented to protect an operators resources or the resources of i
39、ts customers, should not result in harmful consequences for third parties in an information exchange, nor should any side effects of their deployment cause damage or inconvenience that exceeds the impact of the risk being mitigated. 6.6 It is recommended that network operators work collaboratively t
40、o address risks and vulnerabilities. 6.7 Implementation of security facilities should address the reduction of risk and the cost of such measures should reflect the value of the assets protected and the potential damage. 7 Technical tools baseline 7.1 It is recommended that the operator deploy all h
41、ardware and software in strict correspondence with the terms of license agreement, defined by the manufacturer. 7.2 It is recommended to only use individual accounts for access to the interfaces of communication hardware management. The deployment of group accounts is not recommended. 7.3 It is reco
42、mmended that default passwords (set by the manufacturer of the hardware or software) not be used to authorize access to network management interfaces, remote consoles or management and administrative accounts of any communication hardware and/or software. 7.4 It is recommended that the operator inst
43、all updates and patches in a timely manner as recommended by the manufacturer. It is recommended that the operator bring to the notice of users of the facilities, information about applicable patches and updates. 7.5 It is recommended that the information relating to the network management system be
44、 protected by confidentiality and integrity mechanisms or by using network segments physically isolated from service domains. 7.6 It is recommended to install anti-spoofing filters at the points of interconnect with other networks (operators) and end-users, which prevent the transmission of packages
45、 with the outgoing addresses from external networks or multicast addresses, as well as receiving packages with such addresses or with reserved or incorrect addresses. 7.7 It is recommended that inspected packages be labelled so that interconnected operators know that the outgoing address is correct.
46、 In case of traffic congestion, the labelled packages should be prioritized. 7.8 It is recommended that network operators and public information server owners deploy regularly-updated anti-viral software. 7.9 It is recommended to have facilities for detecting infected messages, marking and optionall
47、y deleting them. 7.10 It is recommended that each e-mail information server be enabled with spam-detecting software for all incoming messages and the possibility to mark messages with unsolicited information. The operators may use other methods for counteracting spam. For instance, they could, by pr
48、ior agreement, disconnect users connected to the networks manipulated by violators. 7.11 It is recommended that operators filter spam within their own network. 4 X series Supplement 2 (09/2007) 7.12 It is recommended that each e-mail server have the ability to limit the amount of outgoing messages f
49、rom one user within a unit of time (e.g., for protecting against spam or denial of service attacks). It is recommended to have the ability to delay the delivery of outgoing messages by such sender until the server administrator confirmation is obtained. 7.13 It is recommended that the operator deploy automated discovery of statistical traffic anomalies. It is recommended that such traffic anomaly analysis be used for effective counteraction to DDoS attacks. 7.14 It is recommended that the operator deploy techn